To see if this document has been published in an e-OJ with legal value, click on the icon above (For OJs published before 1st July 2013, only the paper version has legal value).

Multilingual display

Language 1 Language 2 Language 3

Text

12.1.2017

EN

Official Journal of the European Union

C 9/3

Summary of the Opinion of the European Data Protection Supervisor on the first reform package on the Common European Asylum System (Eurodac, EASO and Dublin regulations)

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2017/C 9/04)

Since several years, Europe is faced with a pressing migration and refugee crisis, which became even more challenging in 2015. Therefore, the Commission proposed to reform the Dublin Regulation in order to adapt it to the current situation. This reform is combined with a Proposal for the creation of a European Union Agency for Asylum, to assist Member States to perform their duties regarding asylum.

Since it was established, Eurodac has served the purpose of providing fingerprint evidence to determine the Member State responsible for examining the asylum application made in the EU.

A recast of the Eurodac Regulation was also proposed by the Commission. The main change in this Regulation is the extension of the scope of Eurodac to register the third country nationals illegally found in a Member State or apprehended in connection with the irregular crossing of a border of a Member State with a third country.

The EDPS recognises the need for more effective management of migration and asylum in the EU. However, he recommends important improvements to better consider the legitimate rights and interests of the relevant individuals who may be affected by the processing of personal data, in particular of vulnerable groups of people requiring specific protection such as migrants and refugees.

In his Opinion, the EDPS recommends, among others, the following main points:

—

mentioning in the Dublin Regulation that the introduction of the use of unique identifier in the Dublin database may not, in any case, be used for other purposes than the purposes described in the Dublin Regulation;

—

the performing of a full data protection and privacy impact assessment in the Eurodac recast 2016 in order to measure the privacy impact of the new text proposed and of the extension of the scope of Eurodac database;

—

conducting an assessment of the need to collect and use the facial images of the categories of persons addressed in the Eurodac recast 2016 and on the proportionality of their collection, relying on a consistent study or evidence-based approach;

—

conducting a detailed assessment of the situation of minors and a balance between the risks and harms of the procedure of taking fingerprints of the minors and the advantages they can benefit, in addition to the Explanatory Memorandum.

The Opinion further defines other shortcomings of the different proposals and identifies additional recommendations in terms of data protection and privacy that should be taken in consideration in the legislative process.

I. INTRODUCTION AND BACKGROUND

1.

On April 2016, the Commission adopted a Communication entitled ‘Towards a reform of the Common European Asylum System legal avenues to Europe’ (1), defining priorities for improving the Common European Asylum System (CEAS). In this context, on 4 May 2016, the Commission issued three proposals as part of a first package of reform of the CEAS:

—

a Proposal for a Regulation of the European Parliament and of the Council on the establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third country national or a stateless person (hereinafter ‘the Dublin Proposal’) (2);

—

a Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Asylum and repealing Regulation (EU) No 439/2010 (hereinafter ‘the Proposal for a European Union Agency for Asylum’ or ‘the EUAA Proposal’) (3); and

—

a Proposal for a Regulation of the European Parliament and of the Council on amending Regulation (EU) No 603/2013 on the establishment of Eurodac for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013] establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third country national or a stateless person, for identifying an illegally staying third country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes (recast 2016) (hereinafter ‘the Eurodac Recast 2016 Proposal’) (4).

2.

The EDPS was consulted informally before the publication of the Eurodac Recast and the EASO Proposal and communicated informal comments to the Commission on both texts.

3.

The EDPS understands the need for the EU to address the challenges of the migration and refugee crisis since 2015, as well as the need to have an effective and harmonised EU policy to tackle irregular immigration that occurs within the EU as well as to the EU. In full respect for the role of the legislator in assessing the necessity and the proportionality of the proposed measures, the EDPS, in his advisory role, will provide in this Opinion some recommendations in terms of data protection and privacy, in order to help the legislator to meet the requirements of Articles 7 and 8 of the Charter of Fundamental Rights regarding the rights to privacy and data protection and Article 16 of the Treaty on the Functioning of the EU.

4.

The EDPS will first address the main recommendations regarding the three proposals. These main recommendations represent the major issues observed by the EDPS and that should in any event be addressed in the legislative process. Additional recommendations are the points identified by the EDPS as requiring clarification, additional information, or minor modifications. This distinction should help the legislator to give priority to the major issues addressed by this Opinion.

IV. CONCLUSION

68.

The EDPS welcome the efforts in terms of data protection in the different texts. He can see that the culture of data protection is becoming part of the legislative process and can also be observed in the drafting of the proposals.

69.

In full respect for the role of the legislator in assessing the necessity and the proportionality of the proposed measures, the EDPS, in his advisory role, provides in this Opinion some recommendations in terms of data protection and privacy with regard to the three proposals examined.

70.

Regarding the Dublin Proposal, the EDPS expresses concerns about the fact that the unique identifier might be used for other purposes, for example for identifying the individuals in other databases, making the comparison of databases easy and simple. The EDPS recommends specifying that any other use of the identifier should be prohibited.

71.

Regarding the Eurodac recast Proposal, the EDPS considers that extension of the scope of Eurodac raises concern regarding the respect of the purpose limitation principle as enshrined in Article 7 of the Charter of Fundamental Rights of the EU. The EDPS also recommends further specifying the types of measures other than removal and repatriation that could be taken by the Member States on the basis of the Eurodac data. The EDPS recommends that the Commission make available a full data protection and privacy impact assessment of the Eurodac recast 2016 in order to measure the privacy impact of the text proposed.

72.

The EDPS is also concerned about the inclusion of facial images: the Regulation does not refer to any assessment of the need to collect and use the facial images of the categories of persons addressed in the Eurodac recast Proposal. Moreover, the EDPS considers that Proposal should clarify the cases in which a comparison of fingerprints and/or facial images shall take place, since the drafting of the recast Proposal seems to imply that such a comparison should take place systematically.

73.

The EDPS also recommends that a detailed assessment is made available with regard to the situation of minors, the balance between the risks and harms of such procedure for the minors and the advantages they can benefit from, in addition to the Explanatory Memorandum. In this context, the regulation should further define (i.e. in a recital) the meaning of taking the fingerprints of minors in a child-friendly manner.

74.

Concerning the retention period, which will be in principle of five years, the EDPS recommends giving more details and explanation why and how a data retention period of five years was considered as necessary in this context to achieve the new purposes of the Eurodac database. Moreover, the EDPS recommends reducing the retention period to the actual length of the entry ban upon a specific individual. Finally, the EDPS recommends specifying in the Proposal that the starting point of the retention period will be the date of the first fingerprinting processed by a Member State.

75.

Finally, the EDPS recommends blocking of all data for law enforcement purposes after three years, and stop making a difference between different categories of non-EU individuals with this respect.

76.

In addition of the main shortcomings identified above, the recommendations of the EDPS in the present Opinion concern the following aspects:

—

regarding the Eurodac recast proposal,

—

The EDPS recommends specifying in the text of the Proposal that the final responsibility of the processing of personal data will be with the Member States which will be considered as controllers within the meaning of the Directive 95/46/EC.

—

Article 37 should be redrafted to clarify in which case an international transfer is allowed or prohibited, and specifically concerning the transfer to the applicant's country of origin.

—

Article 38(1) should specify that only the data strictly necessary for the purpose of return can be transferred by the Member States.

—

Coercion should not be allowed to obtain fingerprints of individuals. This should be specified in the Eurodac Regulation.

—

In this context, the EDPS recommends clarifying that detention should not be considered as a sanction for non-compliance with the obligation to provide fingerprints.

—

The use of real data by eu-LISA for testing purposes raises a serious concern and should not be allowed by the Eurodac Regulation. The alternative of using non real data should be considered and assessed by the legislator, considering the risk for the privacy of the concerned individuals. In any case, the text should not consider that biometric data can be anonymised, since they will always relate to an individual and therefore be considered as personal data.

—

Regarding the processing of information by eu-LISA, the EDPS recommends specifying that appropriate safeguards regarding the access to the data by external contractors must be put in place.

—

Finally, the EDPS welcomes the efforts to make sure that access by law enforcement authorities is assessed by an independent body. However, designated authorities and verifying authorities should not be part of the same organisation, in order to preserve the independence of the verifying authority.

—

regarding the EUAA Proposal,

—

The EDPS recommends specifying that the experts of the Agency should only be allowed to access databases in compliance with the legal acts governing these databases and data protection rules.

—

The EDPS recommends further specifying what is meant by administrative purposes in Article 30(3), since any purpose pursued by an administration could qualify under this term.

—

The EDPS recommends clarifying the responsibilities for ensuring the security of the equipment used by the Agency which should be defined at all steps of the lifecycle of the equipment, namely from its acquisition, throughout its storage and use, and ending with its disposal.